Microsoft, IBM, Google and Other Tech Giants Team Up to Prevent the Next ‘Heartbleed’

Technology giants including Google and International Business Machines have committed to collectively give more than $3 million to support the free, widely used computer code that underpins the Internet.

As participants in the Core Infrastructure Initiative, the companies will each provide $100,000 a year for a minimum of three years. The money will back projects aimed at improving open source software, code that can be modified and used by individuals and companies for free. While the total may be loose change for the tech firms, it could be quite a sum for open source developers, many of whom do work in their free time for little or no pay.

Recruiting for the initiative kicked into gear following the disclosure of the Heartbleed bug, a vulnerability in OpenSSL, an open source cryptographic library that implements the TLS encryption used by a large portion of the Internet. The flaw, which let an attacker read chunks of a vulnerable server's memory, could have affected as many as two-thirds of active websites and potentially exposed troves of sensitive customer data.

Open source software is often seen as more secure than proprietary software. The more eyes on the code, the thinking goes, the more opportunity there is to improve on that code and spot potential issues.

“In this case, no one was looking at the code,” Jim Zemlin, executive director of the Linux Foundation, told CIO Journal. Heartbleed was the catalyst for launching the project, he said. “Can we together take a broader view and maybe lower the risk that the next Heartbleed will happen? I do think that is the case, with a modicum of resources.”

Open source software pervades the systems and software that companies and consumers use every day, but many of the developers who maintain it do so for little or no pay during their free time. “We have to provide resources in a way that allows them to operate the way they have been operating, in a way that allows them to do it full time without having to worry about their next meal,” Zemlin said.

The initiative will look across the spectrum of open source projects and determine which ones could be significantly aided by some funding. Support could include paying developers to work on new projects, funding security audits or improving computing infrastructure.

The first project being considered for funding will be OpenSSL, according to a statement from the Linux Foundation. Project proposals would be brought to a steering committee that would then vote on how to allocate money, Zemlin said. The WSJ reported earlier that at the time of Heartbleed’s discovery, OpenSSL was managed by just four European programmers, only one of whom counted it as his full-time job.

Mark Shuttleworth, founder of Linux operating system distributor Canonical Ltd., voiced his “full support for this initiative.” He said Heartbleed “opened the world’s eyes to the extent to which open source is vital to vast tracts of infrastructure and makes it real to a much broader cross section of business and society.”

Still, he said the initiative should only be a first step in developing institutions capable of policing open source software. Ultimately, he said, other institutions will have to be created in order to ensure that not only software developers, but also security researchers and others involved in cybersecurity, have access to these kinds of resources. “The deep challenge is to figure out how to create a combination of openness and governance and sustainability for these widely used pieces of open source software that doesn’t just address the crisis of the day, but ultimately gives us more confidence in our ability to both avoid and respond to potential crises in the future,” he told CIO Journal.

Zemlin, who said future backers could include governments and members of the financial services industry, among others, hopes the initiative will serve as an outlet for anyone with a stake in open source to propose a project.

Calling open source “core to our strategy and development,” New England Biolabs Inc. CIO Ken Grady said many of the company’s scientific apps, such as those used for gene assembly and other experimental design tools, are open source. He said the firm’s heavy reliance on open source makes it “critical that we monitor and patch frequently to address threats,” including for serious flaws such as Heartbleed.

TradeMonster Group Inc., an online trading platform in Chicago, uses open source software as much as possible both in its trading system and internally, chief technology officer Sanjib Sahoo said. The company goes through a lot of work to test open source software before running it in its network.

Many companies that want to save money with open source software don’t do enough testing, he said. “They don’t go through a lot of security, performance and compatibility testing.” TradeMonster was not impacted by the Heartbleed flaw in OpenSSL as it didn’t use the version of the software that was vulnerable, Sahoo said.
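As an added example, not from the article or from any company it quotes: a POSIX shell check of the kind Sahoo's remark implies, classifying the output of `openssl version` against the upstream releases that contained Heartbleed (CVE-2014-0160). Those were 1.0.1 through 1.0.1f and the 1.0.2-beta1 pre-release; 1.0.1g fixed it, and the 0.9.8 and 1.0.0 branches never carried the heartbeat code. The function name and the sample version strings are the example's own.

```shell
#!/bin/sh
# Added example, not code from the article. Classifies an `openssl version`
# string against the upstream OpenSSL releases affected by Heartbleed
# (CVE-2014-0160). Prints one of: vulnerable, fixed, not-affected.
heartbleed_status() {
    # $1 is the full banner, e.g. "OpenSSL 1.0.1e 11 Feb 2013".
    # Word-split it (intentionally unquoted) so $2 is the bare version.
    set -- $1
    ver=$2
    case "$ver" in
        # 1.0.1 and 1.0.1a..1.0.1f shipped the buggy heartbeat handler.
        1.0.1|1.0.1[a-f])        echo vulnerable ;;
        # The first 1.0.2 pre-release had it too; beta2 did not.
        1.0.2-beta|1.0.2-beta1)  echo vulnerable ;;
        # 1.0.1g and later, and every other 1.0.2 build, carry the fix.
        1.0.1*|1.0.2*)           echo fixed ;;
        # 0.9.8, 1.0.0 and anything unrecognised never had the code.
        *)                       echo not-affected ;;
    esac
}

# Stand-alone use: classify the openssl binary on this host, if there is one.
if command -v openssl >/dev/null 2>&1; then
    banner=$(openssl version)
    printf '%s -> %s\n' "$banner" "$(heartbleed_status "$banner")"
fi
```

A "vulnerable" verdict from the version string alone is a flag, not a finding. Debian, Ubuntu and Red Hat patched their 1.0.1e packages in place, so a fixed build on those systems still reports 1.0.1e; and a service that bundles its own libssl is not described by the system binary at all. Confirm against the package changelog, the library the process has actually loaded, or a test of the heartbeat behaviour itself.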

– Michael Hickins, Rachael King and Clint Boulton contributed to this article.